The long and short of it is most of the known Internet
was vulnerable to Heartbleed. Most SSL bugs only allow attackers to
intercept encrypted data. This one was more severe because it also
allowed an attacker to read the memory of a remote SSL process,
meaning that cryptographic keys could also have been
compromised.

While we have no reason to believe that this vulnerability has
been used to attack us, we take a very cautious approach to
security. Sometimes that’s adding stripe.com to the Chrome HSTS
pre-loaded list; sometimes that’s tuning our ciphers for perfect
forward secrecy (which prevents an attacker with your compromised
keys from decrypting past SSL sessions). In this case, it was
responding under the assumption that public exploits were just hours
away.
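As an added illustration of the forward-secrecy point above (this is example code, not Stripe's own tooling): a Heartbleed-style key disclosure only exposes past traffic if the server negotiated RSA key exchange, because with (EC)DHE the session keys are never derivable from the long-term private key. The helper below classifies OpenSSL-style cipher-suite names by key-exchange family and reports which suites in a configured list would leave recorded sessions decryptable once the certificate key leaks. The `expand_cipher_string` helper uses the standard `ssl` module to expand an OpenSSL cipher string into the suites the local OpenSSL build actually enables; the sample cipher lists are constructed for the example.

```python
import ssl

# Key-exchange families that provide forward secrecy: the session key is
# derived from ephemeral (EC)DH values, not from the certificate's RSA key.
FORWARD_SECRET = {"TLS1.3", "ECDHE", "DHE"}


def key_exchange(name: str) -> str:
    """Return the key-exchange family of an OpenSSL cipher-suite name.

    OpenSSL omits the key-exchange prefix when it is plain RSA, so a name
    like AES128-GCM-SHA256 means RSA key transport (no forward secrecy).
    """
    if name.startswith("TLS_"):
        return "TLS1.3"            # every TLS 1.3 suite uses ephemeral (EC)DHE
    head = name.split("-", 1)[0]
    if head == "ECDHE":
        return "ECDHE"
    if head in ("DHE", "EDH"):     # EDH is the legacy spelling of DHE
        return "DHE"
    if head == "ECDH":
        return "ECDH-static"       # static ECDH: key in the certificate
    if head == "DH":
        return "DH-static"
    if head in ("ADH", "AECDH"):
        return "anon"              # ephemeral but unauthenticated
    return "RSA"


def forward_secret(name: str) -> bool:
    """True if a compromised certificate key cannot decrypt past sessions."""
    return key_exchange(name) in FORWARD_SECRET


def audit(names):
    """Return the suites in `names` that do NOT offer forward secrecy."""
    return [n for n in names if not forward_secret(n)]


def expand_cipher_string(spec: str):
    """Expand an OpenSSL cipher string into the suite names this build enables.

    Result depends on the local OpenSSL; TLS 1.3 suites are appended by
    OpenSSL 1.1.1+ regardless of the TLS 1.2 cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed "before" list: mixes RSA key transport with ECDHE suites.
    before = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
              "AES256-SHA", "DHE-RSA-AES256-SHA"]
    print("non-forward-secret suites:", audit(before))
    # Constructed "after" string restricted to ephemeral key exchange.
    print("non-forward-secret suites:", audit(expand_cipher_string("ECDHE+AESGCM")))
```

Run against a server's configured cipher string, an empty audit result means a future private-key disclosure does not retroactively expose captured sessions; a non-empty result lists exactly the suites to remove.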

Our response

One of the most important responsibilities of a security team is
to respond to critical vulnerabilities as quickly as possible. With a
bug like Heartbleed, there’s a limited window between when the
vulnerability is announced, public patches are released, and exploit
code becomes freely available for any script kiddie to use. The right
strategy is sometimes to wait for vendor-supplied packages to be
available, but in other cases (such as with the CRIME
vulnerability) we’ve been able to patch faster by building our own
packages.

Here was the timeline of our response (all in Pacific time on
Monday):

11:29 AM: We were alerted to Heartbleed. We noticed Ubuntu had
yet to release packages, so we proactively started building our
own.

2:30 PM: Shortly after we finished building our packages, Ubuntu released theirs.

3:45 PM: We had fixes rolled to all our Internet-facing servers.

4:10 PM: The first public exploit code we know of was released.

Since then, we’ve worked around the clock on rolling our SSL keys,
upgrading our internal servers, and revoking the old keys (all now
completed). We’ll be invalidating all existing login sessions shortly, so
don’t be surprised if you have to log back into your Stripe
account. We are also upgrading our client libraries to support
certificate revocation; we’ll post an update when this is done.

What you should do

Here are some concrete steps you should take to improve the security of your Stripe account: